diff --git a/CHANGELOG.txt b/CHANGELOG.txt
index 5762c9cf220..6b1f77578ba 100644
--- a/CHANGELOG.txt
+++ b/CHANGELOG.txt
@@ -1,3 +1,8 @@
+Drupal 7.78, 2021-01-19
+-----------------------
+- Fixed security issues:
+  - SA-CORE-2021-001
+
 Drupal 7.77, 2020-12-03
 -----------------------
 - Hotfix for schema.prefixed tables
diff --git a/includes/bootstrap.inc b/includes/bootstrap.inc
index cb70533e46a..e79c5d50942 100644
--- a/includes/bootstrap.inc
+++ b/includes/bootstrap.inc
@@ -8,7 +8,7 @@
 /**
  * The current system version.
  */
-define('VERSION', '7.77');
+define('VERSION', '7.78');
 
 /**
  * Core API compatibility.
diff --git a/modules/system/system.tar.inc b/modules/system/system.tar.inc
index 92fa5290824..0af6275b401 100644
--- a/modules/system/system.tar.inc
+++ b/modules/system/system.tar.inc
@@ -2178,6 +2178,14 @@ class Archive_Tar
                 }
             }
         } elseif ($v_header['typeflag'] == "2") {
+            if (strpos(realpath(dirname($v_header['link'])), realpath($p_path)) !== 0) {
+                $this->_error(
+                    'Out-of-path file extraction {'
+                    . $v_header['filename'] . ' --> ' .
+                    $v_header['link'] . '}'
+                );
+                return false;
+            }
             if (!$p_symlinks) {
                 $this->_warning('Symbolic links are not allowed. '
                     . 'Unable to extract {'
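Review bot: The new containment check in the system.tar.inc hunk is a bare string-prefix test, so a resolved link directory that merely starts with the extraction path (a sibling directory sharing the same leading characters) still passes; compare with a trailing separator and treat a failed `realpath()` as a rejection: `$base = realpath($p_path);`, `$target = realpath(dirname($v_header['link']));`, `if ($base === false || $target === false || strpos($target . DIRECTORY_SEPARATOR, $base . DIRECTORY_SEPARATOR) !== 0) {`. As written, a `false` from either `realpath()` is coerced to an empty string inside `strpos()`, and the outcome then differs between PHP 7 (empty needle returns false) and PHP 8 (empty needle matches at 0), so the check is not fail-closed on every supported runtime. It is also worth confirming that a relative `$v_header['link']` is resolved against the intended extraction directory rather than the process working directory, since `realpath()` uses the latter. The enclosing method begins and ends outside this hunk.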